Method for providing variable authority level user access control in a distributed data processing system.

The method of the present invention may be utilized to provide variable authority level user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein, each including an identification of a selected user and a specified level of authority associated with that selected user. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile to determine the extent access is permitted by means of the specified level of authority contained therein. In a preferred embodiment of the present invention, the access intent of a selected user is determined in conjunction with an attempted access of a particular resource object and stored. Thereafter, a comparison of the stated access intent with the specified level of authority contained within the access control profile may be utilized to grant or deny access.
METHOD FOR PROVIDING VARIABLE AUTHORITY LEVEL USER ACCESS CONTROL IN A DISTRIBUTED DATA PROCESSING SYSTEM



BACKGROUND OF THE INVENTION 
Technical Field 

The present invention relates to data processing systems in general and in particular to improved methods of providing access control for a plurality of resource objects within a distributed data processing system. Still more particularly, the present invention relates to a system which permits variable authority level access control throughout a distributed data processing system.

Description of the Related Art 

Security and access control systems in computer based data processing systems are well known in the prior art. Existing access control systems are generally oriented to a single host system. Such single host access control systems are generally utilized to provide security for the host and access control to applications and system resources, such as files. Each application must generally provide access control for the resources controlled by that application.

One example of an access control system designed for utilization with the IBM 370 system is a product called RACF, or Resource Assets Control Facility. RACF offers access control for applications, such as files or CICS transactions, and is hierarchically oriented in access authority levels and grouping of users. RACF is a "password" oriented access control system and access is granted or denied based upon a user's individual identity and his or her knowledge of an appropriate password to verify that identity. The RACF system is, however, oriented to a single host system and cannot be employed in a distributed data processing system which employs multiple hosts associated with separate groups of resource objects, due to the fact that this system does not allow the interchange of access control information from one host to another. Further, the RACF system does not permit a user to access a resource object at one of a plurality of authority levels. That is, for example, it may be desired to permit a user to read a particular resource object, but not alter that object.

Another example of known access control systems is AS/400. The AS/400 system is a capability based system in which security is based upon each individual resource object. Each user is authorized to access individual resource objects based upon the user's capability within the system. The AS/400 system maintains security by keeping User Profiles, Object Authority, and System Values within the architecture of the machine itself. As above, this system is highly efficient at controlling access to resource objects controlled by a single host; however, access to resource objects located within a distributed data processing system containing multiple hosts cannot be controlled. That is, access to a resource object controlled by one host cannot be obtained by a user enrolled at a second host. As above, the AS/400 system does not permit the system controller to vary the level of authority enjoyed by a particular user with respect to a selected resource object.

One other example of an access control system is the DB2 product. This product permits a more flexible access control and offers granular or bundled access control authority. For example, the DB2 system may utilize special authorities for administration or database operations. Further, access privilege may be bundled into a specified authority or role so that a user may access specific resource objects based upon the user's title or authority level, rather than the user's personal identity. However, as above, the DB2 system does not possess the capability of exchanging access control information with non-DB2 applications.

Therefore, it should be obvious that a need exists for a method of providing variable authority level user access control in a distributed data processing system whereby access to selected resource objects may be controlled throughout the distributed data processing system by specifying the level of authority associated with a specific user for a selected resource object and then only permitting access to that resource object to the extent previously specified.

SUMMARY OF THE INVENTION 

It is therefore one object of the present invention to provide an improved data processing system.

It is another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system.

It is yet another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system which permits a variable level of authority to be specified for each user within a distributed data processing system, with regard to specific resource objects.

The foregoing objects are achieved as is now described. The method of the present invention may be utilized to provide variable authority level user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein, each including an identification of a selected user and a specified level of authority associated with that selected user. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile to determine the extent access is permitted by means of the specified level of authority contained therein. In a preferred embodiment of the present invention, the access intent of a selected user is determined in conjunction with an attempted access of a particular resource object and stored. Thereafter, a comparison of the stated access intent with the specified level of authority contained within the access control profile may be utilized to grant or deny access.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

Figure 1 depicts a pictorial representation of a distributed data processing system which may be utilized to implement the method of the present invention;

Figure 2 depicts in block diagram form the access control system utilized with the method of the present invention;

Figure 3 is a high level flow chart depicting the establishment of a variable authority level user access control system in accordance with the method of the present invention; and

Figure 4 is a high level flow chart depicting variable authority level access to a resource object in accordance with the method of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

With reference now to the figures, and in particular with reference to Figure 1, there is depicted a pictorial representation of a data processing system 8 which may be utilized to implement the method of the present invention. As may be seen, data processing system 8 may include a plurality of networks, such as Local Area Networks (LAN) 10 and 32, each of which preferably includes a plurality of individual computers 12 and 30, respectively. Of course, those skilled in the art will appreciate that a plurality of Interactive Work Stations (IWS) coupled to a host processor may be utilized for each such network.

As is common in such data processing systems, each individual computer may be coupled to a storage device 14 and/or a printer/output device 16. One or more such storage devices 14 may be utilized, in accordance with the method of the present invention, to store applications or resource objects which may be periodically accessed by any user within data processing system 8. In a manner well known in the prior art, each such application or resource object stored within a storage device 14 is associated with a Resource Manager, which is responsible for maintaining and updating all resource objects associated therewith.

Still referring to Figure 1, it may be seen that data processing networks may also include multiple main frame computers, such as main frame computer 18, which may be preferably coupled to Local Area Network (LAN) 10 by means of communications link 22. Main frame computer 18 may also be coupled to a storage device 20 which may serve as remote storage for Local Area Network (LAN) 10. Similarly, Local Area Network (LAN) 10 may be coupled via communications link 24 through a subsystem control unit/communications controller 26 and communications link 34 to a gateway server 28. Gateway server 28 is preferably an individual computer or Interactive Work Station (IWS) which serves to link Local Area Network (LAN) 32 to Local Area Network (LAN) 10.

As discussed above with respect to Local Area Network (LAN) 32 and Local Area Network (LAN) 10, resource objects may be stored within storage device 20 and controlled by main frame computer 18, as resource manager for the resource objects thus stored. Of course, those skilled in the art will appreciate that main frame computer 18 may be located a great geographic distance from Local Area Network (LAN) 10 and similarly Local Area Network (LAN) 10 may be located a substantial distance from Local Area Network (LAN) 32. That is, Local Area Network (LAN) 32 may be located in California while Local Area Network (LAN) 10 may be located within Texas and main frame computer 18 may be located in New York.

In known prior art systems of this type, should the user of an individual computer 30 desire to access a resource object stored within storage device 20, associated with main frame computer 18, it will be necessary for the user of computer 30 to be enrolled within the security system of main frame computer 18. This is necessary in order for the user of computer 30 to present the proper password to obtain access to the desired resource object. Of course, those skilled in the art will appreciate that this technique will prove ungainly in distributed data processing systems, such as data processing system 8 depicted within Figure 1.

Referring now to Figure 2, there is depicted in block diagram form the access control system which is utilized with the method of the present invention. As is depicted, Local Area Networks (LAN) 10 and 32 are illustrated by dashed lines, as is main frame computer 18. In each instance resource objects 42, 48 and 54 are illustrated in association with each portion of distributed data processing system 8 of Figure 1. Of course, each object thus illustrated will be stored within one or more storage devices associated with each portion of data processing system 8. As is illustrated, Local Area Network 10 includes a resource manager 40 which may be one or more individual computers which are utilized to manage selected resource objects. Also established within Local Area Network 10 is a Reference Monitor 44. Reference Monitor 44, in accordance with the method of the present invention, is an application or service which is utilized to store access control profiles which may include access control information relating to: selected users; selected levels of authority associated with selected users; selected resource objects; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users, each authorized to access at least a portion of said predetermined set of resource objects.

Still referring to Figure 2, it may be seen that within Local Area Network (LAN) 32 a resource manager 46 is illustrated, which is utilized, in a manner well known in the art, to control access to resource object 48. Similarly, a Reference Monitor 50 is established within Local Area Network (LAN) 32. Reference Monitor 50 is, as described above, preferably utilized to store access control profiles relating to individual users within Local Area Network 32 as well as resource objects stored within Local Area Network 32.

Finally, main frame computer 18 is illustrated as including a resource manager 52 which has associated therewith one or more resource objects 54.

In accordance with an important feature of the present invention, any attempted access of a resource object, such as resource object 42, 48 or 54, will automatically result in a query by the associated resource manager to one or more Reference Monitor applications to determine whether or not the access requested will be permitted. It should be noted that, in accordance with the depicted embodiment of the present invention, only one Reference Monitor application is required for data processing system 8; however, two are illustrated. In accordance with the method of the present invention, communications links between a single Reference Monitor application may be established with each and every resource manager within data processing system 8 (see Figure 1) so that access to selected resource objects may be controlled in accordance with the access control information stored within the profiles within that Reference Monitor.

In this manner, a user within Local Area Network (LAN) 32 may, via the communications links depicted within Figure 1, request access to a resource object 54 associated with main frame computer 18. As will be explained in greater detail herein, resource manager 52 will then query Reference Monitor 44 and/or Reference Monitor 50 to determine whether or not a profile exists which permits the requested access. If so, the profile information is exchanged between the appropriate Reference Monitor and resource manager 52 and access to resource object 54 may be permitted.

With reference now to Figure 3, there is depicted a high level flow chart depicting the establishment of a variable authority level access control system in accordance with the method of the present invention. As is illustrated, the process begins at block 60 and thereafter passes to block 62, which depicts the defining of an access control profile for an object or group of objects, by the associated resource manager. As is illustrated, the resource manager may define one or more selected users, one or more particular resource objects, and the authority level which each user may have with respect to a selected object.

By authority level what is meant is whether or not the particular user in question has authority to alter the resource object in question, read the resource object in question, take any action with respect to the resource object, or no action with respect to the resource object. Thereafter, block 64 illustrates the storing of that profile within a Reference Monitor application.

Next, block 66 illustrates a determination of whether or not additional profiles are to be established and, if so, the process returns to block 62 and continues thereafter in an iterative fashion. In the event no additional profiles are to be created, the process passes to block 68 and terminates.

Finally, referring to Figure 4, there is depicted a high level flow chart depicting access to a resource object in accordance with the method of the present invention. As is illustrated, the process begins at block 70 and thereafter passes to block 72 which illustrates the receipt by a resource manager of an access request for a resource object within that resource manager's purview. Next, the process passes to block 74 which illustrates a query by the resource manager to that user to determine the access intent of the user with regard to the resource object in question. As utilized herein, the phrase "access intent" shall mean a determination of whether or not the user desires to take any of the following actions with regard to a selected resource object: view, update, delete object, grant access, create relationships, or, delete relationships. Of course, this list is not meant to be all-inclusive or limiting in nature.
Next, block 76 illustrates a query by the resource manager to one or more Reference Monitor applications which may exist within the distributed data processing system to determine whether or not an access control profile exists for the resource object or user in question. Block 78 then illustrates the logging of this access attempt at the Reference Monitor application. Such logging shall preferably include the storage of an identification of the particular user, the selected resource object and the stated intent of the user with regard to that particular resource object. Next, block 80 depicts the retrieval of the appropriate access control profile for the particular user or object in question. Block 82 then illustrates a determination of whether or not access to the selected resource object is permitted, in accordance with the information contained within the retrieved profile.

In the event access to the resource object in question is not permitted, as determined by the access control profile thus retrieved, block 84 illustrates the denial of access to the requested resource object by means of an appropriate message to the requester.

In the event access to the resource object in question is to be permitted, as determined in block 82, then block 86 illustrates a determination of whether or not the access control profile indicates the user in question has a sufficient authority level for the access intent which has been entered. If not, block 84 once again illustrates the denial of access to the requested resource object with an appropriate message to the requester. Of course, those skilled in the art will appreciate that where access has been denied due to insufficient authority level, a message may be displayed to the requester indicating that the access intent entered exceeds his or her authority level for the resource object in question. Thereafter, a different access intent may be entered by the requester.

Finally, in the event the authority level contained within the access control profile for a particular user and a selected resource object is sufficient for the access intent entered by the user, as determined in block 86, then block 88 illustrates the accessing of the object in question. Thereafter, the process terminates, as illustrated in block 90.
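The following is an added worked model of the Figure 3 and Figure 4 flows, not code from the patent: profiles are stored in a reference monitor (block 64), the resource manager queries one or more monitors on each access attempt (blocks 76 to 80), the attempt is logged, and the user's stated access intent is compared with the stored authority level (blocks 82 to 88). Class names, the intent labels, the user, group and object names and the sample profiles are all constructed for illustration.

```python
"""Model of the Figure 3 / Figure 4 flow: access control profiles live in a
reference monitor; a resource manager queries it on every access attempt and
compares the user's stated access intent with the stored authority level."""
from dataclasses import dataclass, field
from typing import Optional

# Access intents named in the description (block 74). Constructed labels.
INTENTS = {"view", "update", "delete", "grant", "create_rel", "delete_rel"}


@dataclass(frozen=True)
class Profile:
    principal: str        # a user name, or "group:<name>" for a group (claim 3)
    resource: str         # identification of the resource object (claim 2)
    authority: frozenset  # the intents this principal is authorized to exercise


@dataclass
class ReferenceMonitor:
    """Stores profiles (block 64) and logs every access attempt (block 78)."""
    profiles: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def store(self, profile: Profile) -> None:
        self.profiles[(profile.principal, profile.resource)] = profile

    def record_attempt(self, user: str, resource: str, intent: str) -> None:
        self.log.append((user, resource, intent))

    def lookup(self, user: str, groups: tuple, resource: str) -> Optional[Profile]:
        # A profile naming the user directly takes precedence over a group profile.
        for principal in (user, *(f"group:{g}" for g in groups)):
            profile = self.profiles.get((principal, resource))
            if profile is not None:
                return profile
        return None


@dataclass
class ResourceManager:
    """Controls resource objects; grants nothing without a matching profile."""
    resources: set
    monitors: list                                   # block 76: one or more monitors
    memberships: dict = field(default_factory=dict)  # user -> list of group names

    def request_access(self, user: str, resource: str, intent: str) -> tuple:
        """Blocks 72-88: returns (granted, reason) for one access request."""
        if resource not in self.resources:
            return (False, "not managed here")
        if intent not in INTENTS:
            return (False, "unknown access intent")
        groups = tuple(self.memberships.get(user, ()))
        profile = None
        for monitor in self.monitors:
            monitor.record_attempt(user, resource, intent)    # block 78
            profile = monitor.lookup(user, groups, resource)  # block 80
            if profile is not None:
                break
        if profile is None:                                   # block 82 -> 84
            return (False, "no access control profile")
        if intent not in profile.authority:                   # block 86 -> 84
            return (False, f"intent '{intent}' exceeds authority level")
        return (True, "access granted")                       # block 88


def build_demo() -> ResourceManager:
    """Constructed sample: a view-only group plus one user allowed to update."""
    monitor_44 = ReferenceMonitor()   # stands in for Reference Monitor 44
    monitor_44.store(Profile("group:readers", "object54", frozenset({"view"})))
    monitor_44.store(Profile("alice", "object54", frozenset({"view", "update"})))
    return ResourceManager(
        resources={"object54"},
        monitors=[ReferenceMonitor(), monitor_44],  # first monitor holds no profiles
        memberships={"bob": ["readers"], "alice": ["readers"]},
    )


if __name__ == "__main__":
    mgr = build_demo()
    for user, intent in (("bob", "view"), ("bob", "delete"), ("alice", "update")):
        print(user, intent, mgr.request_access(user, "object54", intent))
```

Every attempt, granted or denied, is recorded at each monitor queried, so the monitor log gives the identification, object and stated intent the description calls for.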

Upon reference to the foregoing, those skilled in the art will appreciate that by utilizing a plurality of access control profiles stored within a reference monitor service, in accordance with the method of the present invention, it will be possible to define multiple levels of authority which may exist for each user authorized to access a particular resource object. For example, a group of users may be authorized to access a particular object only to view that object and not to update, delete, or modify that object. Further, other selected users may have full authority to modify or delete the resource object as they desire. By utilizing the method of the present invention, it will be possible to restrict the authority which each user within the system may enjoy with respect to a particular resource object so that access to those resource objects may not include a concomitant ability to alter or delete the resource object in question. In this manner, information may be more widely disseminated while protecting the integrity of the resource objects containing such information.

While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.



Claims 

1. A method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, said method comprising the steps of:

storing within a reference monitor service a plurality of access control profiles, each including an identification of a selected user and a specified level of authority associated with said selected user;

exchanging a selected access control profile between said reference monitor service and a selected resource manager in response to an attempted access of a particular resource object by a selected user; and

utilizing said resource manager to control access to said particular resource object by said selected user, to the extent permitted by said specified level of authority.

2. The method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system according to Claim 1 wherein said plurality of access control profiles each includes an identification of a selected resource object.

3. The method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system according to Claim 1 wherein selected ones of said plurality of access control profiles include an identification of a selected group of users and a specified level of authority associated with each of said selected group of users.

4. A method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, said method comprising the steps of:

storing within a reference monitor service a plurality of access control profiles, each including an identification of a selected user and a specified level of authority associated with said selected user;

exchanging a selected access control profile between said reference monitor service and a selected resource manager in response to an attempted access of a particular resource object by a selected user;

determining the access intent of said selected user; and

utilizing said resource manager to control access to said particular resource object by said selected user by comparison of said access intent with said specified level of authority.

5. The method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system according to Claim 4 wherein said plurality of access control profiles each includes an identification of a selected resource object.

6. The method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system according to Claim 4 wherein selected ones of said plurality of access control profiles include an identification of a selected group of users and a specified level of authority associated with each of said selected group of users.

7. The method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system according to Claim 4 wherein said specified level of authority associated with said selected user includes an indication of whether said selected user may alter said particular resource object.

8. The method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system according to Claim 4 wherein said specified level of authority associated with said selected user includes an indication of whether said selected user may view said particular resource object.

9. The method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system according to Claim 4 wherein said step of determining the access intent of said selected user comprises the step of requiring said selected user to input said access intent in conjunction with an attempted access of a particular resource object.